The Exim development team has addressed a vulnerability in Exim mail server, tracked as CVE-2019-15846, that could be exploited by local and remote attackers to execute arbitrary code with root privileges.
The vulnerability is a heap overflow that affects Exim mail server versions 4.92.1 and prior that accept TLS connections. It is present regardless of whether Exim is built against GnuTLS or OpenSSL.
“A local or remote attacker can execute programs with root privileges,” reads the security advisory.
According to Exim developers, the flaw could be exploited by an attacker sending
“If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS
“The vulnerability is exploitable by sending a SNI ending in a
Developers confirmed that a proof-of-concept (PoC) exploit exists, but pointed out that they are not aware of attacks in the wild exploiting the issue.
Researchers from Qualys have developed a proof-of-concept (PoC) exploit code for the flaw.
Below is the timeline of the vulnerability:
Possible mitigations consist of configuring the server not to accept TLS connections (which is not recommended) or adding rules to the access control list (ACL).
In June, security experts reported that millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions were under attack: threat actors were exploiting the CVE-2019-10149 flaw to take over them.
The critical vulnerability affected versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.
A few days later, malware researchers at Cybaze-Yoroi ZLAB observed many attack attempts trying to spread malware abusing the CVE-2019-10149 issue.
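Both flaws discussed here are tied to specific Exim version ranges (4.92.1 and prior for CVE-2019-15846 on TLS-enabled servers, 4.87 to 4.91 for CVE-2019-10149), so the first defensive step is an inventory check. The following is an added example, not code from the article or from the Exim project: a small Python helper that parses the version out of an SMTP banner or `exim -bV` output and reports which of the two CVEs the stated ranges put that version in. The sample banner strings are constructed for illustration, and the `tls_enabled` flag is an assumption the caller supplies from their own configuration.

```python
import re

# Version ranges as stated in the article; tuples are (major, minor, patch).
# This mapping is a hypothetical audit helper, not an Exim project artifact.
AFFECTED_RANGES = {
    # 4.92.1 and prior, only when the server accepts TLS connections
    "CVE-2019-15846": lambda v: v <= (4, 92, 1),
    # 4.87 to 4.91 inclusive (exploitable in some non-default configurations)
    "CVE-2019-10149": lambda v: (4, 87, 0) <= v <= (4, 91, 0),
}

# Matches "Exim 4.92", "Exim version 4.92.1", etc., anchored on the product
# name so that dates in the banner are not mistaken for a version.
VERSION_RE = re.compile(r"\bExim(?: version)?\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text):
    """Return (major, minor, patch) from a banner or `exim -bV` line, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(text, tls_enabled=True):
    """List the CVEs from the article whose stated version range covers this host.

    Returns None when no Exim version can be found in the text, otherwise a
    (possibly empty) list of CVE identifiers.  CVE-2019-15846 is only reported
    when the caller says the server accepts TLS connections.
    """
    version = parse_exim_version(text)
    if version is None:
        return None
    hits = []
    for cve, in_range in AFFECTED_RANGES.items():
        if not in_range(version):
            continue
        if cve == "CVE-2019-15846" and not tls_enabled:
            continue
        hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    samples = [
        "220 mx.example.test ESMTP Exim 4.92 Mon, 02 Sep 2019 10:00:00 +0000",
        "Exim version 4.92.1 #3 built 29-Aug-2019 00:00:00",
        "Exim version 4.91 #1 built 15-Apr-2018 00:00:00",
        "220 relay.example.test ESMTP Postfix",
    ]
    for line in samples:
        print(f"{line!r}: {affected_cves(line)}")
```

Feed it the banner collected by your own scanner or the first line of `exim -bV` from each host; an empty list means the version is outside both stated ranges, while `None` means the text did not identify an Exim build at all and needs a manual look.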